#!/bin/bash
# SMScanner V1.0.1 11-05-2013
# This tool will search for malware behaviour on a Linux Server
# The Supported Operating Systems are Linux / CentOS / RedHat
# We are not responsible for anything this tool causes on any system
# https://sourceforge.net/projects/smscanner/
# Thumbs up for Keizer - he made the Timthumb and DirectAdmin module
echo "Hi $USER"
echo "Keep your system always up to date!"
echo "First of all, Thank you for using this tool."
echo "Please report issues at https://code.google.com/p/webserver-malware-scanner"
echo "WARNING: We will not fix any issue, we will just warn you for breaches etc." 
echo "[Requirements]: nmap"
echo "Available options:"
echo "1) Search for Blackhole Exploitkit"
echo "2) Search for iframes"
echo "3) Same as option 1 but the results will be logged in logs/"
echo "4) Search for malicious extentions"
echo "5) Search for PHP Shells"
echo "6) Scan for open PORTS (requires NMAP)"
echo "7) Show modified files from today"
echo "8) Scan for vulnerable Timthumb versions"
echo "9) Scan for javascripts and infected .htaccess files on DirectAdmin users"
echo "U) Download the latest revision"
echo -n " Please pick your choice: "
read choice

case $choice in
1 ) echo "Where are the websites located?"
	echo "Eg. /var/www/"
	read blackhole
	find $blackhole -iname '*.*' | xargs grep --color 'try{prototype+12;)catch\|/i.php\|gzinflate\|base64_decode\|0c0d\|src.php?case=\|["e"+"val"];e("if(1)'
	read wait ;;
2 ) echo "Where are the websites located?"
	echo "Eg. /var/www/"
	read iframes
	find $iframes -iname '*.*' | xargs grep --color '/i.php\|exploit.php\|exploit'
	read wait ;;
3 ) echo "Where are the websites located?"
	echo "Eg. /var/www/"
	read locationwebsites
	mkdir -p logs
	mkdir -p lastcheck
	mv -i logs/* lastcheck
	chmod 777 logs
	find $locationwebsites -iname '*.*' | xargs grep 'i.php\|document.write\|script language=.javascript.\|<script\|iframe\|<scriptvar a\|document.writeln\|try{\|gzinflate\|base64_decode\|var url=\|date=new Date\|array(\|eval(function' > logs/Scan.log
	echo "#########################"
	echo "The Logfiles are created!"
	echo "Please review your logs folder!"
	echo "#########################" 
	read wait ;;
4 ) echo "Which folder would you like to scan?"
	echo "Eg. /var/www/"
	read extensions
	find $extensions -iname '*.exe'
	find $extensions -iname '*.jar'
	find $extensions -iname '*.rar'
	read wait	;;
5 ) echo "Which folder would you like to scan?"
	echo "Eg. /var/www/"
	read shells
	find $shells -iname '*.php' | xargs grep --color 'passthrough()\|system()\|exec()'
	read wait	;;
6 ) echo "#######NORMAL SCAN BELOW########"
	nmap -sS -O 127.0.0.1
	echo "#######NETSTAT OUTPUT SCAN BELOW########"
	netstat -nap
	read wait ;;
7 ) echo "Which directory would you like to check:"
	echo "Eg. /var/www/"
	read check
	echo "#########################"
	find $check -mtime -1 -print 
	echo "#########################"
	read wait ;;
8 ) echo "Where is the wordpress located?"
	echo "Eg. /home/wordpress/public_html/"
	read wordpress
	echo "Scanning for older versions of timthumb.php"
    find $wordpress -iname 'thumb.php' -o -iname 'timthumb.php' -print0 | xargs -0 grep --color \
    -e 'VERSION'\'', '\''1.' \
    -e 'VERSION'\'', '\''2.7' \
    -e 'VERSION'\'', '\''2.8'\''' \
    -e 'VERSION'\'', '\''2.8.1'\''' \
    -e 'VERSION'\'', '\''2.8.2'\'''        
    date
	read wait 
    ;;
9 ) echo "Where are the websites located?"
	echo "Eg. /home/*/domains/*/public_html/"
	read directadmin
	echo "Scanning all public_htmls'"
    echo "Checking .php files"
    date
	find $directadmin -iname '*.php*' -print0 | xargs -0 grep --color \
    -e 'eval(stripslashes(gzinflate(base64_decode' \
    -e 'eval(gzinflate(base64_decode' \
    -e 'gzinflate(base64_decode' 
    echo "Checking .js files"
    date
    find $directadmin -iname '*.js' -print0 | xargs -0 grep -il --color \
    -e 'try{ebgserb++;}' 
    echo "Checking .htaccess files"
    date
	find $directadmin -iname '.htaccess' -print0 | xargs -0 grep --color \
    -e '|google|' \
	-e 'RewriteCond' |
    -e '.google. [OR]' \
    -e '|yahoo|' \
    -e '.yahoo. [OR]' \
    -e '.ru/'
    echo "Checking for common exploited files"
    date
    find $directadmin -iname 'wp-image.php'
    find $directadmin -iname 'wp-stat.php'
	read wait 
    ;;
u|U ) echo "We will download the latest revision right now"
    svn checkout http://webserver-malware-scanner.googlecode.com/svn/branches/ webserver-malware-scanner
	echo "You will find the latest revision in the current directory."
	read wait 
    ;;
*) echo "\"$choice\" is not valid "
 sleep 2 ;;
esac
echo "######### Returning back... #########"
sh ${0##*/}
done